Software Development

What is the best way to implement "Policy as Code" for Kubernetes cluster security?

BR Asked by Brandon Taylor · 12-10-2023
0 upvotes 15,918 views 0 comments
The question

As we scale our microservices, we are finding it impossible to manually check every YAML file for security misconfigurations like "Running as Root" or "Missing Resource Limits." I’ve looked into OPA (Open Policy Agent) and Kyverno. Which one is easier for a DevSecOps team to manage in the long run? We want to block non-compliant deployments at the admission control level while also providing clear feedback to the developers on why their deployment was rejected.

 

3 answers

0
CY
Answered on 14-10-2023

If your team is already comfortable with YAML, Kyverno is the clear winner. Unlike OPA, which requires learning a new language called Rego, Kyverno policies are written in standard Kubernetes YAML. This makes it much easier for developers to read and write their own policies. Kyverno can also "mutate" resources, such as automatically adding required labels or sidecars. For a DevSecOps workflow, you should run these policies in 'Audit' mode first to see the impact, and then switch to 'Enforce' once you've cleaned up existing technical debt. This automated governance is essential for maintaining a "Secure by Default" infrastructure at scale.

0
KE
Answered on 17-10-2023

Have you considered integrating your policy checks into the CI pipeline using a tool like 'conftest' so developers get feedback before they even try to apply the YAML to the cluster? 

18-10-2023

Kevin, we just started doing that with OPA. By running 'conftest' in our GitLab CI runner, the developer sees the "Security Denied" message right in their Merge Request. This "Shift Left" strategy is great because it prevents the cluster's Admission Controller from becoming a bottleneck. The developer fixes the configuration in Git, and by the time it reaches the cluster, it's already guaranteed to be compliant. We also use these same Rego files to scan our Terraform templates, which gives us a unified "Policy as Code" layer across both our infrastructure and our container orchestration.

0
BA
Answered on 21-10-2023

OPA Gatekeeper is more powerful if you have complex logic that needs to look at data outside of the current YAML file, but for 90% of security use cases, Kyverno is much faster to deploy. 

BR 22-10-2023

Exactly, Barbara. We chose Kyverno because we didn't want to spend three months teaching our SREs a new programming language just to enforce basic resource quotas.

Share your thoughts

Your email address will not be published. Required fields are marked (*)

Professional Counselling Session

Still have questions?
Schedule a free counselling session

Our experts are ready to help you with any questions about courses, admissions, or career paths. Get personalized guidance from industry professionals.

Request a Call Back

Search Online

We Accept

We Accept

Follow Us

"PMI®", "PMBOK®", "PMP®", "CAPM®" and "PMI-ACP®" are registered marks of the Project Management Institute, Inc. | "CSM", "CST" are Registered Trade Marks of The Scrum Alliance, USA. | COBIT® is a trademark of ISACA® registered in the United States and other countries.

Book Free Session